Splunk Search

Regular expression by specifying the beginning

nanachu
Path Finder

Hi all,

I have no idea.

I have many events like this.

/abc_d/efg_h/abcd_ef/1234/ghi_jk/
/abc_d/efg_h/zxcv_vf/56789/sdfg_h/
abc_d/egf_h/dfghh_h/5y865/ghjk_r/

/abc_d/efg_h/ is common.

So, I want to do a regular expression by specifying the beginning.

I think it is working.

|rex field=_raw"(?<unitpath>[/abc_d/efg_h]/\w+_\w+/\w+/\w+_\w+)"

But an error happens.
I know I am wrong, but I have no idea.
I wish this was recognized as a field by default..........(;;)

Could you help me?

Thank you.

0 Karma
1 Solution

MuS
Legend

Hi nanachu,

If I understand it correctly, you can try this regex:

| rex "[\/]*abc_d\/[efg]+_h(?<unitpath>\/\w+_\w+\/\w+\/\w+_\w+)" 

That will match

/abcd_ef/1234/ghi_jk/
/zxcv_vf/56789/sdfg_h/
/dfghh_h/5y865/ghjk_r/

Hope this helps ...

cheers, MuS

0 Karma
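
An added example (not code from the thread or from Splunk): a Python check of what the question's pattern and the accepted pattern each capture on the three sample events. It assumes Python's `re` module as a stand-in for Splunk's PCRE engine, so named groups are rewritten to `(?P<name>...)`; the function names are hypothetical.

```python
import re

# Sample events copied from the question (the third has no leading slash and "egf_h").
EVENTS = [
    "/abc_d/efg_h/abcd_ef/1234/ghi_jk/",
    "/abc_d/efg_h/zxcv_vf/56789/sdfg_h/",
    "abc_d/egf_h/dfghh_h/5y865/ghjk_r/",
]

# Patterns exactly as posted in the thread (PCRE named-group syntax).
QUESTION_RX = r"(?<unitpath>[/abc_d/efg_h]/\w+_\w+/\w+/\w+_\w+)"
ANSWER_RX = r"[\/]*abc_d\/[efg]+_h(?<unitpath>\/\w+_\w+\/\w+\/\w+_\w+)"


def pcre_to_python(pattern):
    """Rewrite PCRE (?<name>...) groups as Python's (?P<name>...).

    Lookbehinds, (?<= and (?<!, are left alone because a group name
    must start with a letter or underscore.
    """
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def extract_unitpath(pattern, events=EVENTS):
    """Return the unitpath capture per event, or None where nothing matches."""
    rx = re.compile(pcre_to_python(pattern))
    out = []
    for event in events:
        m = rx.search(event)
        out.append(m.group("unitpath") if m else None)
    return out


def class_members(pattern):
    """Return the distinct characters listed in the first [...] class."""
    body = re.search(r"\[([^\]]*)\]", pattern).group(1)
    return sorted(set(body))


if __name__ == "__main__":
    # A [...] class matches ONE character from this set, not the literal prefix.
    print("class matches one of:", class_members(QUESTION_RX))
    for name, rx in (("question", QUESTION_RX), ("answer", ANSWER_RX)):
        print(name, extract_unitpath(rx))
```

Because the bracketed prefix is a character class, the question's pattern consumes a single character there, so its capture starts at the last `h` of the prefix rather than after the full `/abc_d/efg_h` prefix.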

ivanreis
Builder

Check if this is what you are looking for.

I am extracting the individual fields after the common information (/abc_d/efg_h/)

| rex field=raw"\/abc_d\/efg_h\/(?P\w[a-zA-Z].)\/(?P\d.)\/(?P\w[a-zA-Z_]*)"

https://regex101.com/r/AhowHG/2

0 Karma

ivanreis
Builder

I did not realize this question is already answered. I took some time to refresh my browser.

0 Karma

nanachu
Path Finder

Thank you for helping me.
You are so kind.
Thank you.

0 Karma

nanachu
Path Finder

Thank you for helping me.
I thought only rex field = could be used.
I have to read documentation carefully again.
I learned a lot.

Thank you so much.

0 Karma